priteau | #startmeeting blazar | 09:00 |
---|---|---|
openstack | Meeting started Tue Dec 18 09:00:03 2018 UTC and is due to finish in 60 minutes. The chair is priteau. Information about MeetBot at http://wiki.debian.org/MeetBot. | 09:00 |
openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 09:00 |
*** openstack changes topic to " (Meeting topic: blazar)" | 09:00 | |
openstack | The meeting name has been set to 'blazar' | 09:00 |
priteau | #topic Roll call | 09:00 |
*** openstack changes topic to "Roll call (Meeting topic: blazar)" | 09:00 | |
masahito | o/ | 09:00 |
priteau | Hello masahito | 09:00 |
priteau | I spot tetsuro as well | 09:02 |
tetsuro | 0/ | 09:03 |
priteau | No bertys however | 09:04 |
priteau | Well, let's start | 09:04 |
priteau | Agenda for today is code review and next meetings | 09:05 |
priteau | #topic Code review | 09:05 |
*** openstack changes topic to "Code review (Meeting topic: blazar)" | 09:05 | |
priteau | I see tetsuro's placement patch was just approved | 09:06 |
masahito | Yes, I added W+1 just now. | 09:07 |
tetsuro | Thanks a lot. I will begin another series to enable affinity. | 09:07 |
priteau | masahito: I see you pushed an update to the resource allocation series. I haven't had time to review them this morning but will try to do so today. If I recall correctly it was the unit tests that needed an update. | 09:08 |
*** bhavikdbavishi has joined #openstack-meeting-alt | 09:08 | |
masahito | Right. The gate job failure is just because I forgot to update unit tests when I changed the response body schema. | 09:09 |
masahito | I fixed it. | 09:09 |
priteau | Thank you | 09:10 |
priteau | Finally we can have this functionality for stein-2 :) | 09:10 |
priteau | Small patches that are easy to review: | 09:11 |
priteau | New version of Asmita's patch for min/max IntOpt values: https://review.openstack.org/#/c/625514/ | 09:11 |
priteau | Mailing list address update… https://review.openstack.org/#/c/625244/ | 09:12 |
priteau | Another one: https://review.openstack.org/#/c/621925/ | 09:13 |
priteau | Small typo fix from me: https://review.openstack.org/#/c/625607/ | 09:14 |
*** jesusaur has quit IRC | 09:15 | |
priteau | I would like to discuss what to do for the mutable config patch | 09:16 |
priteau | https://review.openstack.org/#/c/585847/ | 09:16 |
priteau | There is nothing wrong with the patch itself, it is implemented as it should be | 09:17 |
priteau | However, it is not possible to use the functionality because blazar-manager doesn't like receiving a SIGHUP | 09:17 |
masahito | Looks like a meaningless patch for current blazar. | 09:18 |
masahito | I'm okay to go with the patch. | 09:18 |
priteau | I am proposing that we merge the patch but, if we cannot resolve the SIGHUP issue at the time of the Stein release, we create a release note containing an "issues" block | 09:18 |
*** rcernin has quit IRC | 09:18 | |
tetsuro | +1. reasonable | 09:20 |
*** iyamahat has quit IRC | 09:21 | |
masahito | +1 | 09:21 |
priteau | I will change the commit message to reflect the fact that it doesn't yet work though | 09:21 |
*** jesusaur has joined #openstack-meeting-alt | 09:22 | |
priteau | Updated commit message: https://review.openstack.org/#/c/585847/ | 09:25 |
priteau | Please review | 09:25 |
masahito | Done | 09:26 |
priteau | Great | 09:26 |
priteau | masahito: Will you push an update to your floating IP spec? There are some comments from Akihiro Motoki. https://review.openstack.org/#/c/609302/ | 09:28 |
masahito | yes. I'm checking and replying to the comment now. | 09:28 |
masahito | I want to talk about Akihiro's comment that Blazar should have a config which declares a set of floating IP addresses. | 09:29 |
priteau | What about this approach: | 09:31 |
masahito | His suggestion is Blazar has a config option to declare 1. a set of IP addresses blazar can assign for floating IPs or 2. a set of IP address ranges blazar cannot assign for floating IPs. | 09:31 |
priteau | When we create a floating IP in Blazar, Blazar fetches the subnet info from Neutron and verifies that the IP is *not* inside the allocation range | 09:31 |
priteau | And it checks that the IP *is* within the CIDR network | 09:32 |
priteau | This way, the admin doesn't have to manually keep the blazar config in sync with the Neutron state | 09:32 |
priteau | What do you think? | 09:32 |
masahito | That's what I was thinking for the spec. Of course, it makes sense. | 09:34 |
priteau | Let's propose this then | 09:35 |
masahito | Ahh, I didn't mention any validation in the spec. | 09:35 |
masahito | That would be why he commented. | 09:35 |
masahito | okay, I'll reply to it. | 09:35 |
priteau | Do you have only the spec or have you started writing some code as well? | 09:37 |
masahito | nothing | 09:38 |
priteau | OK. I am in the opposite situation: I have an implementation of network segment reservation (VLAN, VXLAN, etc.) but no spec yet ;-) | 09:39 |
priteau | The spec for network segments will follow broadly the same approach as floating IP: Blazar can allocate networks outside of the tenant range. | 09:40 |
priteau | We needed the implementation for internal use, but I think I will be able to write a spec and share it early next year | 09:42 |
masahito | Nice | 09:43 |
priteau | I think we've covered most of the patches. Over the next few weeks I hope to make some progress with pushing Chameleon bug fixes upstream, so there will be more to review. | 09:44 |
*** bhavikdbavishi has quit IRC | 09:45 | |
masahito | It looks like some bug reports for s-2 are assigned to you now. Do you have time to hit these? If I have time, I can take over some patches. | 09:45 |
priteau | Many of these already have a fix in Chameleon, it often just needs a test case and a release note | 09:45 |
*** vishalmanchanda has joined #openstack-meeting-alt | 09:46 | |
priteau | I will let you know if any don't have anything started that you could work on | 09:46 |
masahito | got it. | 09:47 |
*** derekh has joined #openstack-meeting-alt | 09:48 | |
priteau | 11 minutes left, let's talk about the next meetings. | 09:48 |
priteau | #topic Next meetings | 09:49 |
*** openstack changes topic to "Next meetings (Meeting topic: blazar)" | 09:49 | |
priteau | As you probably know, next Tuesday is Christmas and the Tuesday after is New Year's Day | 09:49 |
priteau | So I propose that we cancel both meetings | 09:49 |
masahito | +1 | 09:49 |
priteau | Next meeting would be on January 8 | 09:49 |
priteau | That's just after the stein-2 milestone. Will you have some time for code review until then? | 09:51 |
priteau | (via Gerrit, not IRC meeting) | 09:51 |
*** erlon_ has joined #openstack-meeting-alt | 09:51 | |
masahito | I'll work until 28th Dec and start on 7th Jan. | 09:51 |
masahito | So I have some days to review the code. | 09:52 |
priteau | Great. I will work the rest of this week and maybe some between 26 and 31. Then back on the 7th of Jan | 09:53 |
priteau | #topic AOB | 09:54 |
*** openstack changes topic to "AOB (Meeting topic: blazar)" | 09:54 | |
priteau | Anything else to discuss? | 09:55 |
masahito | The next Summit and PTG is announced. http://lists.openstack.org/pipermail/openstack-discuss/2018-December/000961.html | 09:56 |
*** frickler has joined #openstack-meeting-alt | 09:57 | |
masahito | I'm not sure I can attend it now. | 09:57 |
priteau | Thanks for sharing. I am not sure I will be there, it's not a great timing for me. | 09:58 |
priteau | We can discuss closer to the date. Early bird registration is open until February 1st. | 09:59 |
priteau | That's all for today. Thanks for joining | 09:59 |
priteau | Have a great holiday season. | 10:00 |
priteau | #endmeeting | 10:00 |
*** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings/" | 10:00 | |
openstack | Meeting ended Tue Dec 18 10:00:05 2018 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 10:00 |
openstack | Minutes: http://eavesdrop.openstack.org/meetings/blazar/2018/blazar.2018-12-18-09.00.html | 10:00 |
openstack | Minutes (text): http://eavesdrop.openstack.org/meetings/blazar/2018/blazar.2018-12-18-09.00.txt | 10:00 |
openstack | Log: http://eavesdrop.openstack.org/meetings/blazar/2018/blazar.2018-12-18-09.00.log.html | 10:00 |
masahito | Have a great holiday! | 10:00 |
masahito | bye | 10:00 |
lbragstad | #startmeeting keystone | 16:00 |
openstack | Meeting started Tue Dec 18 16:00:09 2018 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. | 16:00 |
openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 16:00 |
lbragstad | #link https://etherpad.openstack.org/p/keystone-weekly-meeting | 16:00 |
*** openstack changes topic to " (Meeting topic: keystone)" | 16:00 | |
lbragstad | agenda ^ | 16:00 |
openstack | The meeting name has been set to 'keystone' | 16:00 |
lbragstad | o/ | 16:00 |
hrybacki | o/ | 16:00 |
ileixe | o/ | 16:00 |
vishakha | o/ | 16:00 |
gagehugo | o/ | 16:00 |
lbragstad | wow - better attendance than i was expecting :) | 16:00 |
*** diablo_rojo has joined #openstack-meeting-alt | 16:01 | |
cmurphy | o/ | 16:01 |
wxy| | o/ | 16:02 |
lbragstad | ok - cool | 16:02 |
lbragstad | we have quite a bit on the agenda today - so we'll go ahead and get started | 16:02 |
lbragstad | #topic Upcoming Meetings/Holidays | 16:02 |
*** openstack changes topic to "Upcoming Meetings/Holidays (Meeting topic: keystone)" | 16:02 | |
lbragstad | the next two tuesdays fall on holidays | 16:02 |
lbragstad | so i'm not expecting to hold meetings unless folks *really* want to have one while celebrating | 16:03 |
lbragstad | otherwise - we'll just pick things back up on January 8th | 16:03 |
lbragstad | i'll send a note after the meeting with a reminder to the openstack-discuss mailing list | 16:04 |
lbragstad | #topic Oslo Releases | 16:04 |
*** openstack changes topic to "Oslo Releases (Meeting topic: keystone)" | 16:04 | |
lbragstad | kind of related to the holiday schedule | 16:04 |
lbragstad | bnemec sent a note yesterday about oslo releases | 16:04 |
lbragstad | #link http://lists.openstack.org/pipermail/openstack-discuss/2018-December/001047.html | 16:04 |
*** iyamahat has joined #openstack-meeting-alt | 16:05 | |
bnemec | I'm just about to propose the releases for this week. | 16:05 |
lbragstad | this is just a reminder that if anyone needs anything from an oslo library for the next few weeks, we'll have to do it soon | 16:05 |
knikolla | o/ | 16:05 |
lbragstad | there isn't anything on my radar | 16:05 |
bnemec | Holding off on privsep because it makes a significant change and I don't want to deal with it over the holidays, but I don't think that will affect keystone. | 16:05 |
lbragstad | ack | 16:06 |
* knikolla having a headache, but i'll lurk around. | 16:06 | |
lbragstad | yeah - we don't use privsep i don't think | 16:06 |
wxy| | bnemec: does oslo have something like feature freeze time? I wonder if we can have oslo.limit 1.0 release in Stein. | 16:06 |
bnemec | wxy|: We do have feature freeze, and it's a bit earlier than the OpenStack-wide feature freeze. | 16:07 |
bnemec | Let me find the details. | 16:07 |
lbragstad | related to ^ - i pinged jaypipes and johnthetubaguy a few days ago about syncing up on that work | 16:07 |
wxy| | bnemec: Thanks, I'll pay attention to the deadline. | 16:08 |
wxy| | lbragstad: ++ | 16:08 |
lbragstad | prior to berlin, there was a bunch of good discussion on the interface between nova and oslo.limit, but i don't think it has moved since then | 16:08 |
bnemec | For Rocky, Oslo's feature freeze actually coincided with Keystone's: https://releases.openstack.org/rocky/schedule.html | 16:08 |
bnemec | Which reminds me I probably need to get that on the Stein schedule. | 16:09 |
bnemec | Full details are here: http://specs.openstack.org/openstack/oslo-specs/specs/policy/feature-freeze.html | 16:09 |
lbragstad | if we ask again, we might not get a response this close to the holidays, but it might be worth putting together an action item for the beginning of January to follow up with the nova team on that stuff | 16:09 |
wxy| | lbragstad: it's good to have. | 16:09 |
lbragstad | wxy| want to take that one with me? | 16:10 |
wxy| | lbragstad: sure. | 16:10 |
lbragstad | #action lbragstad and wxy| to follow up with nova after the holidays about movement on oslo.limit + nova integration | 16:10 |
lbragstad | cool | 16:10 |
lbragstad | anything else oslo library related? | 16:10 |
wxy| | no, thanks | 16:11 |
lbragstad | thanks wxy| | 16:11 |
lbragstad | #topic Previous Action Items | 16:11 |
*** openstack changes topic to "Previous Action Items (Meeting topic: keystone)" | 16:11 | |
lbragstad | i think the only previous action item we had was to get a spec up for protecting the admin role from being deleted | 16:11 |
lbragstad | which cmurphy has done | 16:11 |
lbragstad | #link https://review.openstack.org/#/c/624692/ | 16:11 |
lbragstad | up for review if you're interested in taking a look ^ | 16:11 |
lbragstad | #topic Reviews | 16:12 |
*** openstack changes topic to "Reviews (Meeting topic: keystone)" | 16:12 | |
lbragstad | does anyone have reviews that need eyes? | 16:12 |
lbragstad | or anything in review they want to call attention to specifically? | 16:12 |
cmurphy | https://review.openstack.org/624972 | 16:12 |
lbragstad | that's the last bit of all the docs work, right? | 16:13 |
cmurphy | all of the admin guide consolidation/reorg yes | 16:13 |
cmurphy | i'm still working on the federation guide | 16:13 |
cmurphy | also interested in people's thoughts on https://review.openstack.org/623928 and the related bug report | 16:13 |
lbragstad | awesome - thanks for picking up the remaining consolidation bits cmurphy | 16:13 |
lbragstad | i'll take a look at 623928 today | 16:14 |
lbragstad | any other reviews people want to bring up? | 16:15 |
lbragstad | ok - moving on | 16:16 |
lbragstad | #topic System scope upgrade cases | 16:16 |
*** openstack changes topic to "System scope upgrade cases (Meeting topic: keystone)" | 16:16 | |
lbragstad | cmurphy and i have been going through the system scope changes for the projects API | 16:16 |
lbragstad | and it got me thinking about another case | 16:16 |
lbragstad | #link https://review.openstack.org/#/c/625732/ | 16:16 |
lbragstad | i wanted to bring this to the rest of the group to walk through the upgrade, just so we're all on the same page | 16:17 |
lbragstad | ^ that review is specific to groups (not projects), but it's applicable | 16:17 |
lbragstad | if you look at #link https://review.openstack.org/#/c/625732/1/keystone/common/policies/group.py | 16:17 |
lbragstad | you can see that I'm deprecating the previous policies and implementing the system reader role as the default | 16:18 |
lbragstad | but... that only happens if a deployment sets ``keystone.conf [oslo_policy] enforce_scope=True`` and it's False by default | 16:18 |
lbragstad | for example the policy for get_group would be '(rule:admin_required or role:reader)' | 16:20 |
lbragstad | since deprecated policies are handled gracefully by oslo.policy in order to help with upgrade | 16:20 |
lbragstad | so - if enforce_scope=False (the default), the get_group policy would be accessible by something with the `reader` role on a project | 16:21 |
cmurphy | what exactly happens when a policy is deprecated? if the operator hasn't changed any defaults and policy is in code, does the new check string take effect or the old check string? | 16:22 |
lbragstad | good question | 16:22 |
lbragstad | they are OR'd | 16:22 |
lbragstad | for example, the current policy for get_group is rule:admin_required | 16:23 |
lbragstad | and if the new policy ends up being `role:reader`, it will be OR'd with the deprecated policy. | 16:23 |
lbragstad | this allows operators a window of time to assign users roles for the new default, or make adjustments so that they can either 1. consume the new default or 2. copy/paste the old policy and maintain it as an override | 16:24 |
cmurphy | so both policies will be allowed - so it's essentially more permissive while it's being deprecated? | 16:25 |
*** dave-mccowan has joined #openstack-meeting-alt | 16:25 | |
lbragstad | with that specific example, it is | 16:26 |
lbragstad | but... the new policy could be something like `role:reader AND system_scope:all` | 16:26 |
lbragstad | which wouldn't allow someone with the reader role on a project to access the get_group API | 16:27 |
lbragstad | i'm not a huge fan of encoding scope checks into check strings... | 16:28 |
lbragstad | and it's redundant with scope_types... but after thinking about this for a week or so.. i'm not sure there is another way to roll out new policies in a backwards compatible way? | 16:28 |
lbragstad | at least while we have enforce_scope=False by default | 16:28 |
lbragstad | if enforce_scope=True, then `role:reader` alone would be a bit safer | 16:29 |
cmurphy | i'm not sure either | 16:29 |
lbragstad | so far, the best answer i have (which may not be the best) is... | 16:30 |
lbragstad | 1. deprecate the old policies 2. the new policies have the scope check in the check string :( 3. when we go to remove the old deprecated policies in Train we can clean up the policies to remove the scope checks from the check string | 16:31 |
bnemec | Do they need to be OR'd? In general I would expect the new rule to just take effect if the operator hasn't overridden the old one. | 16:31 |
lbragstad | step 3 would also include a change for keystone to set ``keystone.conf [oslo_policy] enforce_scope=True`` | 16:32 |
lbragstad | bnemec good question | 16:32 |
lbragstad | the reason why we OR'd them is because if the new rule is less permissive, then we want to make sure operators have time to adjust assignment accordingly so that users can continue to access that API | 16:33 |
lbragstad | otherwise, it would be possible for operators to break users on upgrade if the new, more restrictive rule, is used exclusively | 16:34 |
bnemec | How will they know they need to change it though? Is there a warning if it only passes the old, less restrictive rule? | 16:34 |
* lbragstad grabs a link | 16:34 | |
lbragstad | http://git.openstack.org/cgit/openstack/oslo.policy/tree/oslo_policy/policy.py#n678 | 16:36 |
lbragstad | we run that code when we load rules in oslo.policy | 16:36 |
bnemec | Yeah, I guess that tells them it will change, but it doesn't necessarily tell them whether that's a problem. | 16:37 |
lbragstad | yeah - that gets tough since it depends on how they have roles setup? | 16:38 |
bnemec | I guess they would test by explicitly setting the new policy so the deprecated one isn't OR'd in and see if anything breaks. | 16:38 |
lbragstad | yes - exactly... | 16:38 |
lbragstad | which is how i've hard to write some of the new keystone protection tests | 16:38 |
lbragstad | had* | 16:38 |
bnemec | Yeah, it would be nice if we could be smarter with the warnings, but that would make the logic even more complicated and I already have a hard enough time following it. :-) | 16:39 |
lbragstad | =/ | 16:39 |
lbragstad | there certainly isn't a shortage of edge cases here | 16:40 |
lbragstad | if people want to discuss this though, we can take it to office hours, too | 16:40 |
lbragstad | my other question was about the organization of #link https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:implement-default-roles | 16:41 |
bnemec | Sounds good. I don't want to hold up the meeting any more than I already have. | 16:41 |
vishakha | lbragstad: I will soon update my patches for system scope too. | 16:41 |
lbragstad | vishakha awesome - that's another reason why i wanted to talk about this as team, since we have multiple people doing the work | 16:42 |
wxy| | vishakha: ah, good to know, I'll review yours as well. | 16:43 |
vishakha | lbragstad: Yes will ping you for any doubts related to scopes. Thanks for the updates. | 16:43 |
lbragstad | i know we have bugs open for the majority of this work | 16:43 |
vishakha | wxy|: thanks :) | 16:43 |
lbragstad | #link https://bugs.launchpad.net/keystone/+bugs?field.tag=policy | 16:43 |
lbragstad | but - as the people who have to review this stuff... is there anything I (we) can do organizationally to maintain the chaos/review queue | 16:44 |
lbragstad | or make it easier for people to review in general | 16:47 |
cmurphy | not sure there's much that can be done about sheer volume | 16:47 |
lbragstad | yeah - that's the answer i was afraid of | 16:47 |
bnemec | Maybe talk to dhellmann. He does a lot of high volume review submission. | 16:48 |
lbragstad | i wasn't sure if people wanted to team up on specific resources, or have a priority queue of some kind that applied focus to certain areas | 16:48 |
lbragstad | bnemec oh - good call | 16:48 |
cmurphy | he does but it's usually distributed across projects | 16:48 |
cmurphy | so not so much review load on one team | 16:49 |
lbragstad | i just sympathize with people looking at this and not knowing where to start - so if there is anything i can do to make that easier, i'm all ears | 16:49 |
bnemec | Yeah, but maybe he has some tricks for distributing it. I know they had a team split up the work for the python3-first stuff. | 16:50 |
*** e0ne has quit IRC | 16:50 | |
lbragstad | something we can talk about after the meeting, too | 16:52 |
lbragstad | few minutes left and there are two more topics, so we can move on for now | 16:53 |
lbragstad | #topic Tokens with tag attributes | 16:53 |
*** openstack changes topic to "Tokens with tag attributes (Meeting topic: keystone)" | 16:53 | |
lbragstad | ileixe o/ | 16:53 |
ileixe | o/ | 16:53 |
ileixe | It's about the RFE which returns token with 'tag' attribute. | 16:54 |
ileixe | tag with project | 16:54 |
ileixe | we are using the tag for oslo.policy | 16:55 |
ileixe | for example get_network only for matching tag | 16:55 |
lbragstad | so - do you have custom policy check strings that are written to check the token directly? | 16:56 |
ileixe | in credential - yes | 16:56 |
*** macza has joined #openstack-meeting-alt | 16:56 | |
lbragstad | e.g., %(target.token.project.tag) | 16:56 |
ileixe | yes similar | 16:56 |
ileixe | I heard of system_scope first time in this place.. and this can be used for our purpose though. I'm not sure | 16:57 |
lbragstad | do you have a more detailed example of why you need to override get_network? | 16:58 |
ileixe | We have two general scope | 16:58 |
ileixe | 'dev' 'prod' | 16:58 |
ileixe | every project is included in one of them | 16:58 |
ileixe | and we have also two network dev_net prod_net | 16:58 |
ileixe | provider_network they are | 16:59 |
lbragstad | so 'dev' and 'prod' are not projects or domains? | 16:59 |
ileixe | yes | 16:59 |
ileixe | it just | 16:59 |
ileixe | scheme for our inhouse | 16:59 |
ileixe | codebase | 16:59 |
ileixe | we want to make some general scope to restrict resource | 16:59 |
ileixe | and for now I found 'tag' | 16:59 |
lbragstad | sure - are you available to discuss this after the meeting in -keystone? | 17:00 |
ileixe | yes sure | 17:00 |
lbragstad | ok - cool, meet you over there | 17:00 |
lbragstad | thanks for the time everyone | 17:00 |
lbragstad | #endmeeting | 17:00 |
ileixe | Thanks | 17:00 |
*** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings/" | 17:00 | |
openstack | Meeting ended Tue Dec 18 17:00:55 2018 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 17:00 |
openstack | Minutes: http://eavesdrop.openstack.org/meetings/keystone/2018/keystone.2018-12-18-16.00.html | 17:01 |
openstack | Minutes (text): http://eavesdrop.openstack.org/meetings/keystone/2018/keystone.2018-12-18-16.00.txt | 17:01 |
openstack | Log: http://eavesdrop.openstack.org/meetings/keystone/2018/keystone.2018-12-18-16.00.log.html | 17:01 |